Malicious PDF — malware analysis report

Static analysis result for SHA-256 c08aed75b51eabad…

MALICIOUS

PDF

78.3 KB Created: 2021-06-12 11:28:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-24
MD5: fbd8940d44248e22d88838ffabb34fc7 SHA-1: 3bc2fc5cc6106e0d7dc37e621de27f3b92cde683 SHA-256: c08aed75b51eabadd1ba4cdbf3b850f12ac46c4c25a13e03da6850bea78c8988
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external websites, many of which appear to be hosted on compromised WordPress installations. The 'utm_term' parameter in one URL suggests a phishing or SEO manipulation tactic. ClamAV detection and ML classification confirm the malicious nature of the file, indicating it's likely a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6734

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=beauty+and+the+beast+bangla+subtitle PDF link annotation
    • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/d39e8q9vakmgnmqr2ls59dej01/72719410079.pdfIn PDF document text
    • https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/b4102cc124075c1b237e0a2d6efb145e/kupamedirififorumudefudez.pdfIn PDF document text
    • https://forkidsvietnam.vn/wp-content/plugins/super-forms/uploads/php/files/kqqm3nn34ng4kq5230c0f0cca3/jitopipugajebose.pdfIn PDF document text
    • https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/3072a6f77817b489e842787a420674c5/52310632167.pdfIn PDF document text
    • https://astoriareiki.com/wp-content/plugins/super-forms/uploads/php/files/9f7b925ca0cedbfea24672cd8ef7e910/52168893326.pdfIn PDF document text
    • http://www.patricktennis.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b666aebbcfa---68859542476.pdfIn PDF document text
    • http://zahradysnapady.cz/soubory/files/63704484050.pdfIn PDF document text
    • https://englewoodgrassfarm.com/wp-content/plugins/super-forms/uploads/php/files/92073d3f06b82812ad05d092b62d1e2f/21659445753.pdfIn PDF document text
    • https://fellowpeo.com/wp-content/plugins/super-forms/uploads/php/files/f7131f216c0b932a15c07ba726c2de35/11790673797.pdfIn PDF document text
    • https://avenue102.com/uploads/file/87871116905.pdfIn PDF document text
    • http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cab463d546---30065951964.pdfIn PDF document text
    • https://harpethvalleyhealth.com/wp-content/plugins/super-forms/uploads/php/files/35aba174eda3accd6c187bdfcac442b6/51592639454.pdfIn PDF document text
    • https://www.die-umzugsfabrik.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c5e8fb8d36---6430424118.pdfIn PDF document text
    • http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/b14e6d105e89c3d9e599b194fb91332d/kesozaraxeka.pdfIn PDF document text
    • http://westmoorclassof1965.com/clients/5/52/52ec68f2b927accf75267cb07bfcc891/File/tekebabuk.pdfIn PDF document text
    • http://www.radiopopiatej.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1bfea17748---39617392230.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
    • http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4c6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4C6 5284 bytes
SHA-256: 9e4d9265367026a548c2543346d177c6a4b2b0642f9f1c4c6bde957e86bb965b
font_01_sfnt_off0000f6be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6BE 14332 bytes
SHA-256: 1e539d30cea965936409f7d5c976d60aa30c809c3cfea23ab0a68eadd2ae18de